Refine open source maintenance documentation and guidelines

.github/CODEOWNERS

@@ -0,0 +1,2 @@
+# Require maintainer review for repository-wide changes when GitHub code owner review is enabled.
+* @K1-R1

CHANGELOG.md

@@ -8,7 +8,10 @@ changes.
 
 ## Unreleased
 
-- No unreleased changes.
+- Added `CODEOWNERS` to make the active code-owner review rule concrete.
+- Tightened public maintenance, DCO, distribution, and release-process documentation after the first
+  public release.
+- Pruned internal readiness notes into a smaller repository maintenance checklist.
 
 ## 0.4.2 - Initial Public Release
 

CODE_OF_CONDUCT.md

@@ -20,3 +20,7 @@ This project expects respectful, constructive collaboration.
 
 Maintainers may remove comments, close issues, block participants, or decline contributions that
 make the project unsafe or hostile.
+
+For urgent platform abuse, use GitHub's abuse reporting tools. For project-specific conduct concerns,
+contact the maintainer privately if a private channel is available. Do not put sensitive conduct
+reports, personal information, secrets, or vulnerability details in public issues.

CONTRIBUTING.md

@@ -14,6 +14,7 @@ Run the full local gate before proposing changes:
 
 ```sh
 scripts/verify.sh
+sh scripts/check-dco.sh main..HEAD
 ```
 
 For smaller loops:
@@ -58,6 +59,9 @@ To repair a local branch before opening a pull request:
 git rebase --signoff main
 ```
 
+GitHub also requires sign-off for web-based commits in this repository. The required PR status check
+is named `signed-off`; GitHub may display it as `dco / signed-off`.
+
 ## Pull Request Checklist
 
 - The public tool contract remains intentional and documented.

MAINTAINING.md

@@ -9,6 +9,7 @@ Before promoting a build:
 
 ```sh
 scripts/verify.sh
+sh scripts/check-dco.sh main..HEAD
 scripts/smoke-public-install.sh "$(git rev-parse origin/main)"
 scripts/install-local.sh --dry-run
 scripts/install-local.sh

README.md

@@ -7,9 +7,8 @@
 surface. It is designed for safe local branch, worktree, status, review, and exact-file
 commit workflows without exposing arbitrary Git commands or shell execution.
 
-The server is local-first: no telemetry, no remotes, no network Git operations, and no
-package-manager distribution in this repository yet. Public installation uses Go's command
-installer.
+The server is local-first: no telemetry, no remotes, no network Git operations, no binary release
+assets, and no package-manager distribution. Public installation uses Go's command installer.
 
 ## Tool Surface
 
@@ -67,6 +66,8 @@ mkdir -p "$HOME/.codex/worktrees" "$HOME/.codex/log"
 codex-safe-git-mcp --print-config
 ```
 
+For repeatable installs, use a release tag such as `@v0.4.2` instead of `@latest`.
+
 If `$(go env GOPATH)/bin` is not on `PATH`, run the installed binary by absolute path. See
 [Distribution](docs/distribution.md) for the full public and source-tree install paths.
 
@@ -118,14 +119,13 @@ scripts/verify.sh
 - [Developer Certificate of Origin](DCO.md)
 - [Security invariants](docs/invariants.md)
 - [Threat model](docs/threat-model.md)
-- [Open-source release checklist](docs/open-source-release-checklist.md)
-- [Future work](docs/future-todo.md)
+- [Repository maintenance checklist](docs/repository-maintenance.md)
 
 ## Release Status
 
-This repository is prepared for public source releases through Go module tags. The initial public
-distribution path is `go install`; Homebrew/package-manager distribution, binary release assets, and
-external release services remain deferred until there is an explicit maintainer decision.
+This repository ships public source releases through Go module tags. The supported distribution path
+is `go install`; Homebrew/package-manager distribution, binary release assets, automated publishing,
+and external release services remain deferred until there is an explicit maintainer decision.
 
 ## Contributing
 

docs/distribution.md

@@ -1,7 +1,7 @@
 # Distribution
 
-This project should be distributed as a Go command first, with source-tree installation kept for
-maintainers and contributors.
+This project is distributed as a Go command first, with source-tree installation kept for maintainers
+and contributors.
 
 ## Recommended Public Install
 
@@ -19,8 +19,8 @@ go install github.com/K1-R1/codex-safe-git/cmd/codex-safe-git-mcp@v0.4.2
 
 `go install ...@version` is the right default for a dependency-free Go command because it builds the
 published module directly and does not require users to clone the repository or run an installer
-script from the internet. Before the first release tag exists, `@latest` may resolve to a Go
-pseudo-version from the default branch; release-grade installs should use a semver tag.
+script from the internet. In forks or pre-release checkouts without tags, `@latest` may resolve to a
+Go pseudo-version from the default branch; release-grade installs should use a semver tag.
 
 The installed command is written to `GOBIN` when set, otherwise to `$(go env GOPATH)/bin`. If that
 directory is not on `PATH`, run the command by absolute path:
@@ -51,7 +51,7 @@ scripts/smoke-public-install.sh v0.4.2
 ## Source-Tree Install
 
 Use source-tree installation when developing this repository, validating a release candidate, or
-installing from a private checkout before a public release tag is available:
+installing from a checkout before the needed public release tag is available:
 
 ```sh
 git clone https://github.com/K1-R1/codex-safe-git
@@ -64,15 +64,15 @@ scripts/install-local.sh --verify-install
 The source installer builds a stable binary under `~/.codex/tools/codex-safe-git-go`, writes a
 sidecar checksum, creates the default `~/.codex/worktrees` root, and prints the Codex MCP config.
 
-## Not Recommended Initially
+## Deferred Distribution
 
-Do not use a `curl | sh` installer for the initial public release. This tool exists to narrow Codex's
+Do not use a `curl | sh` installer. This tool exists to narrow Codex's
 local Git mutation surface, so asking users to pipe a remote shell script into `sh` would send the
 wrong trust signal. A reviewed source checkout or `go install ...@version` is clearer and easier to
 audit.
 
-Do not publish package-manager distribution in the initial release. Homebrew can be added later via a
-separate tap if there is real demand, but it adds another repository, formula review surface, and
+Do not publish package-manager distribution yet. Homebrew can be added later through a separate tap
+if there is real demand, but it adds another repository, formula review surface, and
 release automation to maintain.
 
 Do not publish binary GitHub Release assets until signing, checksums, provenance, and support policy

docs/operator-guide.md

@@ -126,8 +126,8 @@ unexpected executable names, and untrusted `PATH` lookups.
 
 `main`, `master`, and the repository's configured `init.defaultBranch` are always protected. Add
 environment-specific production branch names with `CODEX_SAFE_GIT_PROTECTED_BRANCHES`, using a
-comma-separated list such as `trunk,develop,release/stable`. Protected branches cannot be commit targets, branch
-creation targets, or merge targets.
+comma-separated list such as `trunk,develop,release/stable`. Protected branches cannot be commit
+targets, branch creation targets, or merge targets.
 
 ## Landing Protected Branches